terminate eap-ttls

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 19 17:01:14 CEST 2013

On 19/06/13 14:54, adrian.p.smith at bt.com wrote:
>>> What I really need to do is proxy the inner message to another
>>> Radius server which will do the authentication but I cannot get
>>> this to work. Whatever I try, I always see an EAP-Message avp
>>> heading off to the remote server. I have looked at the
>>> proxy-inner-tunnel virtual server but am unsure how to use it.
>> This *is* proxying the inner tunnel; the inner tunnel auth is also
>> EAP, and you're sending it to the remote server.
> Thanks, this is NOT what I want to do. I want to send the inner
> message, not the tunnel and do PAP on the remote server.

You can only do PAP on the remote server if your inner auth method was 
PAP. Basically, this means EAP-TTLS/PAP.

Doing that is simple:

server inner-tunnel {
   authorize {
     update control {
       Proxy-To-Realm := THEREALM

If this isn't working, send a debug from "radiusd -X"

More information about the Freeradius-Users mailing list